How Will the GDPR Affect Your US Business

Written by JP La Torre

Though there is a Freedom of Information Act, legislation that provides public access to public information for complying international countries, there is also a right to privacy. This security need is the reason why various metrics are applied globally in different manners—and by individual governments—to protect the personal information of their citizens. The European Union (EU) is the latest governing body to address the right of citizens to be forgotten online. The recently formulated General Data Protection Regulation (GDPR) aims to protect citizens of its member states from data abuse (using personal information for a purpose different from the original intention).

This regulation was approved by the EU parliament on 14th April 2016 and is expected to come into force on 25th May 2018. However, there has been a Data Protection Directive (officially referred to as Directive 95/46/EC) in place in the EU since 24th October 1995 that supposedly harmonized data protection laws and the transfer of personal data to non-EU countries.

So, why is the GDPR important to comply with?

The GDPR Explained

The Directive-95/46/EY was not a law but a legislative act that set out to ‘protect’ data. It allowed for interpretation by individual member country’s national law and, therefore, was not necessarily enforceable. The GDPR ensures an identical approach for all countries on how data protection is applied and how the violation of the law is punishable.

The GDPR provides data subjects (see below) with more control over their personal data, and allows them to seek compensation should a data breach occur. Therefore, before the due date, it is advisable for every online company to review its data collection practices and maintain compliance with the new regulations—even if your business is not based in the EU, as you may still be affected. This law applies to any country where its members interact with the data of individuals who live in the EU.

GDPR Terminology

Data Subject:

A data subject is the owner of their personal information and can be directly or indirectly identified by name, identification number or an online identifier.

Data Controller:

A data controller is a person or legal entity that seeks to use and process personal data.

How Do I Know That I Have Committed a Data Breach?

The GDPR stipulates that data controllers should not use personal data for any purpose other than the initially intended and specified use. Beyond the initial scope of intention, companies need to get the data owner’s consent or permission from the Supervisory Authority to use the data collected for an alternate purpose.

This legislation is an update to the existing regulatory environment of the EU. It is also a more significant regulation than the Directive 95/46/EC that works according to the below principles.

8 Major Principles of the GDPR

1. The Principle of Processing Data Fairly and Lawfully.
This principle stipulates that personal data should be processed in a manner that satisfies relevant conditions. Personal data shall only be processed when at least one of the following conditions are met:
—The data owner has given consent to the data processing.
—The data processing is necessary to support contract performance where the data subject is a party.
—The data processing is a request to comply with legal obligations or the processing is to protect the data subject’s interests.
There are more conditions to meet in the case of sensitive personal data.

2. The Principle of Processing Data For a Specified Purpose.
Personal data should only be processed in a manner compatible with the initially specified purpose(s).

3. The Principle of Adequacy.
This principle stipulates that the amount of personal information held should be sufficient for the purpose for which the company is keeping it.

4. The Principle of Accuracy.
This principle requires data controllers to take necessary steps to ensure that personal information is accurate. Also, the source from which the information is obtained should be apparent and any challenges to accuracy should be handled diligently. Where necessary, this information should be kept up to date.

5. The Principle of Retention.
Personal data should only be held for a reasonable period for the purpose for which it is collected. The information should be deleted if no longer needed for the specified reason.

6. The Principle of Data Subject Rights.
Personal data should be processed in a manner that gives the data subject the right to access the information and object to any processing that may cause damage/take any step that he or she may deem necessary to give justice to the use of their personal information.

7. The Principle of Security.
Personal data should be protected from loss, use, destruction, unauthorized access, modification or disclosure.

8. The International Principle.
This principle exerts control on data sent outside European territories. It stipulates that personal data should not be transferred outside of the European Economic Area (EEA) unless that country assures adequate protection to the rights of the data subject.

Effects Of the GDPR Legislature On A Business

As a ‘data controller,’ the GDPR affects businesses even if they’re not actually based in the EU due to the following:

A loss of useful data for future reference: If a user (data subject) perceives that a company no longer requires his or her data for the initial purpose of its collection, he or she may have the data erased. Companies may lose information useful to future decision making.

Hefty penalties for breaching the above principles: When a breach occurs, the Supervisory Authority will need to be informed within 72 hours. Failure to do so will incur the following charges: 4% of a company’s annual global turnover or £20 million. And or an additional 2% fine for not reporting to the Supervisory Authority.

Gain or loss of business: The GDPR will improve a company’s competitive advantage if the business complies with the legislature. Users (data subjects) will prefer being associated with GDPR-compliant firms. If, however, companies act contrary to the legislative measures, they may be sure to lose business and users.

In conclusion, the GDPR is believed to safeguard user information from the great dangers to privacy that have been evolving recently. Personal data has been subject to broad exposure especially emanating from permissions granted by internet giants like Amazon, Google, and others. A recent development of user information sabotage was the Cambridge Analytica Scandal where user information was manipulated to influence the US election.

Watch out! Come 25th May 2018; no more user information misuse will go unpunished, whether your business is in the US, the EU or anywhere else in the world. Update your company’s personal data and privacy policy soon to comply with the regulation and demonstrate to your users that you’re protecting and processing their information with due care.

Caylent offers DevOps-as-a-Service to high growth companies looking for help with microservices, containers, cloud infrastructure, and CI/CD deployments. Our managed and consulting services are a more cost-effective option than hiring in-house and we scale as your team and company grow. Check out some of the use cases and learn how we work with clients by visiting our DevOps-as-a-Service offering.